mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-03 05:26:40 -04:00
6c0f2940c3
Backport of #11968 to release/10. Treats tarball-integrity mismatches against the lockfile as a hard failure by default; `--update-checksums` is the only opt-in. `--force` and `pnpm update` deliberately do not bypass the integrity check. 🤖 Written by an agent (Claude Code, claude-opus-4-7).
108 lines
4.3 KiB
TypeScript
108 lines
4.3 KiB
TypeScript
import { WANTED_LOCKFILE } from '@pnpm/constants'
|
|
import { type TarballResolution } from '@pnpm/lockfile.fs'
|
|
import { prepareEmpty } from '@pnpm/prepare'
|
|
import { addDistTag } from '@pnpm/registry-mock'
|
|
import { type ProjectRootDir } from '@pnpm/types'
|
|
import { sync as rimraf } from '@zkochan/rimraf'
|
|
import clone from 'ramda/src/clone'
|
|
import {
|
|
addDependenciesToPackage,
|
|
mutateModulesInSingleProject,
|
|
} from '@pnpm/core'
|
|
import { sync as writeYamlFile } from 'write-yaml-file'
|
|
import { testDefaults } from './utils/index.js'
|
|
|
|
test('installation fails by default if the lockfile contains a wrong checksum, but --update-checksums recovers', async () => {
|
|
await addDistTag({ package: '@pnpm.e2e/dep-of-pkg-with-1-dep', version: '100.0.0', distTag: 'latest' })
|
|
const project = prepareEmpty()
|
|
|
|
const { updatedManifest: manifest } = await addDependenciesToPackage({},
|
|
[
|
|
'@pnpm.e2e/pkg-with-1-dep@100.0.0',
|
|
],
|
|
testDefaults()
|
|
)
|
|
|
|
rimraf('node_modules')
|
|
const corruptedLockfile = project.readLockfile()
|
|
const correctLockfile = clone(corruptedLockfile)
|
|
// breaking the lockfile
|
|
;(corruptedLockfile.packages['@pnpm.e2e/pkg-with-1-dep@100.0.0'].resolution as TarballResolution).integrity = (corruptedLockfile.packages['@pnpm.e2e/dep-of-pkg-with-1-dep@100.0.0'].resolution as TarballResolution).integrity
|
|
writeYamlFile(WANTED_LOCKFILE, corruptedLockfile, { lineWidth: 1000 })
|
|
|
|
await expect(mutateModulesInSingleProject({
|
|
manifest,
|
|
mutation: 'install',
|
|
rootDir: process.cwd() as ProjectRootDir,
|
|
}, testDefaults({ frozenLockfile: true }, { retry: { retries: 0 } }))).rejects.toThrowError(/Got unexpected checksum for/)
|
|
|
|
await expect(mutateModulesInSingleProject({
|
|
manifest,
|
|
mutation: 'install',
|
|
rootDir: process.cwd() as ProjectRootDir,
|
|
}, testDefaults({}, { retry: { retries: 0 } }))).rejects.toThrowError(/Got unexpected checksum for/)
|
|
|
|
await mutateModulesInSingleProject({
|
|
manifest,
|
|
mutation: 'install',
|
|
rootDir: process.cwd() as ProjectRootDir,
|
|
}, testDefaults({ updateChecksums: true }, { retry: { retries: 0 } }))
|
|
|
|
expect(project.readLockfile()).toStrictEqual(correctLockfile)
|
|
|
|
// Breaking the lockfile again
|
|
writeYamlFile(WANTED_LOCKFILE, corruptedLockfile, { lineWidth: 1000 })
|
|
|
|
rimraf('node_modules')
|
|
|
|
// --force is NOT an opt-in: it should still fail.
|
|
await expect(mutateModulesInSingleProject({
|
|
manifest,
|
|
mutation: 'install',
|
|
rootDir: process.cwd() as ProjectRootDir,
|
|
}, testDefaults({ force: true }, { retry: { retries: 0 } }))).rejects.toThrowError(/Got unexpected checksum for/)
|
|
})
|
|
|
|
test('installation fails by default if the lockfile contains the wrong checksum and the store is clean', async () => {
|
|
await addDistTag({ package: '@pnpm.e2e/dep-of-pkg-with-1-dep', version: '100.0.0', distTag: 'latest' })
|
|
const project = prepareEmpty()
|
|
|
|
const { updatedManifest: manifest } = await addDependenciesToPackage({},
|
|
[
|
|
'@pnpm.e2e/pkg-with-1-dep@100.0.0',
|
|
],
|
|
testDefaults({ lockfileOnly: true })
|
|
)
|
|
|
|
const corruptedLockfile = project.readLockfile()
|
|
const correctIntegrity = (corruptedLockfile.packages['@pnpm.e2e/pkg-with-1-dep@100.0.0'].resolution as TarballResolution).integrity
|
|
// breaking the lockfile
|
|
;(corruptedLockfile.packages['@pnpm.e2e/pkg-with-1-dep@100.0.0'].resolution as TarballResolution).integrity = 'sha512-pl8WtlGAnoIQ7gPxT187/YwhKRnsFBR4h0YY+v0FPQjT5WPuZbI9dPRaKWgKBFOqWHylJ8EyPy34V5u9YArfng=='
|
|
writeYamlFile(WANTED_LOCKFILE, corruptedLockfile, { lineWidth: 1000 })
|
|
|
|
await expect(
|
|
mutateModulesInSingleProject({
|
|
manifest,
|
|
mutation: 'install',
|
|
rootDir: process.cwd() as ProjectRootDir,
|
|
}, testDefaults({ frozenLockfile: true }, { retry: { retries: 0 } }))
|
|
).rejects.toThrowError(/Got unexpected checksum/)
|
|
|
|
await expect(mutateModulesInSingleProject({
|
|
manifest,
|
|
mutation: 'install',
|
|
rootDir: process.cwd() as ProjectRootDir,
|
|
}, testDefaults({}, { retry: { retries: 0 } }))).rejects.toThrowError(/Got unexpected checksum/)
|
|
|
|
await mutateModulesInSingleProject({
|
|
manifest,
|
|
mutation: 'install',
|
|
rootDir: process.cwd() as ProjectRootDir,
|
|
}, testDefaults({ updateChecksums: true }, { retry: { retries: 0 } }))
|
|
|
|
{
|
|
const lockfile = project.readLockfile()
|
|
expect((lockfile.packages['@pnpm.e2e/pkg-with-1-dep@100.0.0'].resolution as TarballResolution).integrity).toBe(correctIntegrity)
|
|
}
|
|
})
|